The Court of Appeal recently handed down a decision which gives useful judicial guidance on the definition of ‘personal data’ under UK data protection law and the responsibility on organisations to keep personal data secure.
DSG Retail Limited v The Information Commissioner [2026] EWCA Civ 140 is concerned with events from 2017 and 2018 when the old Data Protection Act 1998 (DPA 1998) was in force. As such the judgement is persuasive rather than binding on UK courts when deciding on issues under the current law; namely the UK GDPR and Data Protection Act 2018.
The background to the case is that, in 2017, DSG Retail Limited (the parent company of Dixons and Currys PC World) (DSG) suffered a cyberattack targeting point of sale systems in all its shops. Over a nine month period, attackers deployed malware to scrape transaction level card data and attempted to exfiltrate the captured information. More than 5.6 million payment cards were affected; though the majority consisted only of the 16-digit payment card numbers and expiry dates (together referred to as ‘EMV data’). Crucially, the attackers did not obtain any information that could directly identify the cardholders.
In 2020, the ICO fined DSG £500,000 for breach of the data security principle.
This
was the maximum fine under the DPA 1998. There then followed a series
of appeals. The First Tier Tribunal (FTT) upheld the ICO’s
findings but reduced the fine by half.
The Upper Tribunal (UT) in setting aside the FTT’s decision held that the data security principle under the DPA 1998 applies to only to ‘personal data’ i.e. information about living, identifiable, individuals. The data in question, EMV data, did not constitute ‘personal data’ from the attackers’ perspective because the attackers could not link it to specific individuals. As a result, the UT held that DSG did not have any security obligations with respect to such data.
Following an appeal by the ICO, the Court of Appeal (CoA) has now overturned the UT’s ruling. The CoA held that the Data Controller (in this case DSG) is required to comply with the data security principle under the DPA 1998 with respect to data that is ‘personal’ from the perspective of the Data Controller, regardless of whether the data might not be personal ‘in the hands of’ or ‘from the perspective’ of any other person.
The CoA considered it implausible that (absent an explicit statement)
Parliament intended to limit the scope of the data security duty so
that a Data Controller would have no obligation to protect some parts of
the data provided by the Data Subject. The CoA also noted the potential
consequences of a contrary reading; there would be no obligation for
the Data Controller to protect data when a third party would be unable
to identify the Data Subject from that data. In the Court’s view,
third-party interference with data, even where the attacker is unable
to identify the Data Subjects, can still be harmful. Moreover, the Court
found it impractical to put Data Controllers in a position where,
in determining their data security obligations, they would need to
assess whether attackers could
re-identify individuals via ‘jigsaw’ techniques.
The case will now return to the FTT to apply the Court of Appeal’s
interpretation of the law to the facts of the DSG cyberattack.
More -
https://actnowtraining.blog/2026/03/02/is-data-still-personal-if-the-recipient-cannot-identify-the-data-subject/
